Display Common IP Addresses

This Solution describes how to see which IP addresses generate the most traffic to your web servers. You can use a similar technique to find the most common values for other log fields, such as user agent or request URL.

A Solution is a step-by-step guide for accomplishing a specific task, designed to make sense even if you're just getting started with Scalyr server monitoring. If you're new to Scalyr, you should read the short Getting Started guide. For help with other tasks, see the Solutions directory.

Prerequisites

1. The Scalyr Agent should be installed on the server(s) you want to monitor, and should be configured to upload your access logs. In the Scalyr Agent configuration file, each access log should be tagged with parser: "accessLog".

If you're not sure you've done this, see the Analyze Access Logs solution. There, you will find instructions for ensuring your access logs are being uploaded and parsed.

Steps

  • In the navigation bar, click Search.
  • In the Expression box, enter $dataset = 'accesslog'.
  • Click the Search button. This will show data from all of your access logs.
  • Switch to the Facets tab.
  • Find the section for the "ip" field, and click the see more values link at the bottom of that section.

This will display the 100 IP addresses which generate the most traffic to your web servers. If you received more than 500,000 requests in the time period being queried, the result will be based on a random sample of 500,000 requests.

You can limit the search to requests for a particular web page, or requests to a particular server or server group. To do this:

  • Use the browser's Back button to return to the main Facets display.
  • Click on any value in any field to limit the search based on that field. For instance, to view requests to a particular server, find that server under the "serverHost" field.
  • Find the section for the "ip" field, and click the see more values link at the bottom of that section.

If your web traffic passes through a load balancer or other frontend tier, your access logs may show the address of the load balancer, rather than the end user. You can fix this by configuring your web server to log X-Forwarded-For headers, and adding the new field to your log parser. We'll be happy to help with this; just drop us an e-mail at support@scalyr.com.
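The same top-IP count, done offline with the X-Forwarded-For fix applied, as an added example (not Scalyr code). The log format, the 10.0.0.0/24 proxy range and the sample lines are assumptions; the header is honoured only when the request arrived from a trusted proxy, because a client can set it to any value.

```python
import ipaddress
import re
from collections import Counter

# Assumption: the load balancer tier sits in this range (constructed value).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]
# Assumed format: combined access log with X-Forwarded-For as a final quoted field.
LINE_RE = re.compile(r'^(?P<peer>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ '
                     r'"[^"]*" "[^"]*" "(?P<xff>[^"]*)"$')
# Constructed sample lines using documentation address ranges, not real traffic.
REQ = '- - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/8.0"'
SAMPLE = [
    f'10.0.0.5 {REQ} "203.0.113.7"',
    f'10.0.0.5 {REQ} "203.0.113.7"',
    f'10.0.0.5 {REQ} "192.0.2.66, 198.51.100.9"',  # leftmost entry set by the client
    f'198.51.100.23 {REQ} "203.0.113.7"',          # direct connection, header ignored
    f'10.0.0.5 {REQ} "-"',                         # proxy sent no header value
]

def is_trusted(addr):
    """True if addr parses as an IP inside one of our proxy networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)

def client_ip(peer, xff):
    """Pick the address to count for one request."""
    if not is_trusted(peer):
        return peer              # not from our proxy tier: header is client-supplied
    for hop in reversed([h.strip() for h in xff.split(",")]):
        if is_trusted(hop):
            continue             # another of our own proxies, keep walking left
        try:
            return str(ipaddress.ip_address(hop))  # rightmost untrusted hop
        except ValueError:
            break                # "-" or garbage: fall back to the peer
    return peer

def top_ips(lines, n=100):
    """Return the n most common client addresses as (ip, count) pairs."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            counts[client_ip(m["peer"], m["xff"])] += 1
    return counts.most_common(n)
```

Calling `top_ips(SAMPLE)` counts the forged leftmost entry's request under 198.51.100.9, the hop the load balancer itself appended.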

Further Reading

To aggregate metrics across servers, see the Manage Groups of Servers solution.